Loose lips bring risks: protecting pharma against leaks and fraud
Although Kroll’s Global Fraud and Risk report found the life sciences sector has experienced issues with fraud and leaks, these incidents are rarer than the average and among the lowest of all industries surveyed. But this is not an excuse for the industry to rest on its laurels. Allie Nawrat speaks to Kroll’s Peter Tutton and Justine Radnedge to discuss how life sciences stakeholders can become more proactive.
A third of life sciences companies reported they have experienced a major leak of internal information, according to the latest Global Fraud and Risk report by compliance consultancy Kroll.
Although 33% is a significant proportion of life sciences companies and data leaks were seen as the top risk priority for the sector, this figure is lower than the 39% average across all industries.
There were no industries surveyed by Kroll that reported less than 33% for this indicator – but sectors such as financial services and retail, wholesale and distribution also reported this figure.
In fact, the life sciences sector’s figures were predominantly lower than the survey’s average. For example, only 27% of life sciences companies reported they had experienced data theft, which was 2% lower than the average across all sectors.
The life sciences sector also experienced the lowest rates of counterfeiting, grey market activity and fraud by external parties of any industry.
Life sciences’ resilience against fraud
Kroll’s Business Intelligence and Investigations associate managing director Peter Tutton notes that these figures “show [life sciences] is more resilient than other sectors in areas such as fraud, bribery and corruption.”
Tutton believes this is because life sciences “tends to have a fairly mature risk control framework”, as it is one of the most strongly regulated industries and is dealing with extremely personal information. He points to the sector’s particularly “stringent due diligence process”. The Kroll report found that 100% of life sciences respondents noted they conduct due diligence on suppliers and business partners, compared to the 92% average, and 94% noted they did so on merger and acquisition targets, 5% above the average. Linked to this, there was confidence from the life sciences sector in the effectiveness of their reputational due diligence – this was 12% higher than the global average.
The sector’s rigorous due diligence approach is likely to be the reason the report found life sciences to be less affected by geopolitical issues, such as sanctions, tariffs and changes in trade agreements, than other sectors, Tutton muses. “The due diligence performed on all partners [means] you are not dealing with sanctioned individuals,” he says, adding that “the fact that they have got this model in place means they are aware of any changes in these markets [regarding] sanctions.”
Another explanation for the sector’s resilience and above-average performance against fraud and leaks is the industry’s impressive consistency in dealing with incidents. The Kroll survey found that 85% of industry executives reported consistent responses to risk management incidents, 10% higher than the global average.
In addition, the report notes that in life sciences there is a clear “tone from the top”, in the words of Justine Radnedge, Kroll Financial Investigations manager focusing on the life sciences sector, that integrity, compliance and accountability are important to any company or organisation.
Don’t be complacent about existing risk strategies
Tutton says the primary purpose of Kroll’s report is to “stimulate conversations” both internally and externally about “emerging risks both within the life sciences market and within the wider business environment” to see if companies “have got them under control or if there is an opportunity to put further procedures in place”.
It is essential that companies do not blindly continue to rely on existing frameworks, which may be outdated and becoming inefficient. Tutton notes that although a company “might have had someone in three years ago to perform a root-and-branch review of procedures, they haven’t continued to assess this”. There is a need for firms to ensure their “security systems are fit for purpose” through penetration testing and software updates.
As an example of the need for life sciences to not rest on its laurels about the effectiveness of existing protocols, Tutton expresses concern about the sector’s attitude to whistleblowing policies. Kroll’s report found that 73% of life sciences executives saw whistleblowing as an effective means to detect threats, compared to the 65% global average.
However, he notes: “One of the conversations I have had quite often with clients involves them saying, ‘Yes, we have a whistleblowing procedure and a hotline, but no-one ever uses it so everything is good.’ But for me, that is not indicative of a successful whistleblowing policy.”
“I would [want]…to delve a little bit deeper to find out why they have this comfort with these procedures and [whether they] have assessed them correctly? A whistleblowing policy is only as good as people’s confidence in it.”
Preparing for new risks
Kroll’s fraud and risk report established that the top future concern and risk for the life sciences industry is large-scale coordinated cyberattacks; this was the case for the majority of other sectors also surveyed.
Tutton highlights risks from social media as an example of a new concern that has become more prevalent since the last report.
Although adversarial social media activity was reportedly 6% less common for life sciences than the average, this is still a concern for the industry and is an example of an emerging risk that “may not have been considered within an organisation’s risk framework or response plan”.
To respond to these new cyber-related threats, Tutton and Radnedge note the need for life sciences companies to be proactive, rather than reactive, in their risk management strategies.
They need to “continually assess and monitor potential threats so that issues can be detected early, before they escalate,” says Tutton. This would improve speed of response to data leaks for example, which the report showed was one of the industry’s priorities, as well as better halt the spread of sensitive information without the need to consult with expert advisors, such as Kroll, or legal counsel.